6d17ef161703adeb63bed1a59340dfa4

From aldeid
Jump to: navigation, search

Identification

General information

  • SHA256: 4131c4449dd1c0364d0f182225f5457acb7fe466cf03a314e1ac8cae24d672c0
  • SHA1: f9bdb5d3d0b27020b38e8ca3d9598c30f6375cd3
  • MD5: 6d17ef161703adeb63bed1a59340dfa4
  • File size: 47.4 KB ( 48536 bytes )
  • File name: AQSZDC.exe
  • File type: Win32 EXE
  • Tags: peexe signed

Detection

Antivirus Result Update
AVG Generic34.BPLO 20130904
BitDefender Trojan.GenericKDV.1217763 20130905
Commtouch W32/Backdoor.AHNI-0007 20130905
Comodo TrojWare.Win32.Trojan.Agent.Gen 20130905
DrWeb Trojan.DownLoader6.34128 20130905
Emsisoft Trojan.GenericKDV.1217763 (B) 20130905
ESET-NOD32 Win32/Remtasu.S 20130905
F-Secure Trojan.GenericKDV.1217763 20130905
Fortinet W32/Menti.ILO!tr 20130905
GData Trojan.GenericKDV.1217763 20130905
Jiangmin Trojan/Refroso.vti 20130903
Kaspersky Backdoor.Win32.Xtreme.addr 20130905
McAfee Artemis!6D17EF161703 20130905
McAfee-GW-Edition Artemis!6D17EF161703 20130905
MicroWorld-eScan Trojan.GenericKDV.1217763 20130905
NANO-Antivirus Trojan.Win32.Xtreme.cesozs 20130904
Norman Injector.DIRT 20130905
Panda Trj/CI.A 20130904
Sophos Mal/EncPk-NST 20130905
Symantec WS.Reputation.1 20130905
TrendMicro-HouseCall TROJ_GEN.F47V0829 20130905
VIPRE Trojan.Win32.Generic!BT 20130905

Behavior

Key, Mouse, Clipboard, Microphone and Screen Caputering

  • Installs a global keyboard hook

File activities

  • Source: iexplore.exe:
    • file:///c:/documents%20and%20settings/all%20users/start%20menu/programs/startup/jbxinitvm.a
    • file:///c:/jbxinitvm.a
  • Creates a copy in
    • C:\Documents and Settings\Administrator\Application Data\AQSZEDFRTG\AQSZDC.exe

Networking

URLs

  • http://bibilomp.servemp3.com:2012/1234567890.functions (Source: iexplore.exe)
  • http://moimoi.falayar10.eu:2011/1234567890.functions (Source: iexplore.exe)
  • http://cacerts.digicert.com/digicertassuredidcodesigningca-1.cr (Source: svchost.exe)
  • http://cacerts.digicert.com/digicertassuredidcodesigningca-1.crt0 (Source: AQSZDC.exe)
  • http://cacerts.digicert.com/digicertassuredidrootca.cr (Source: svchost.exe)
  • http://cacerts.digicert.com/digicertassuredidrootca.crt0 (Source: AQSZDC.exe)
  • http://crl3.digicert.com/assured-cs-2011a.crl (Source: svchost.exe)
  • http://crl3.digicert.com/assured-cs-2011a.crl03 (Source: AQSZDC.exe)
  • http://crl3.digicert.com/digicertassuredidrootca.crl (Source: svchost.exe)
  • http://crl3.digicert.com/digicertassuredidrootca.crl0: (Source: AQSZDC.exe)
  • http://crl4.digicert.com/assured-cs-2011a.cr (Source: svchost.exe)
  • http://crl4.digicert.com/assured-cs-2011a.crl0 (Source: AQSZDC.exe)
  • http://crl4.digicert.com/digicertassuredidrootca.cr (Source: svchost.exe)
  • http://crl4.digicert.com/digicertassuredidrootca.crl0 (Source: AQSZDC.exe)
  • http://ocsp.digicert.com (Source: svchost.exe)
  • http://ocsp.digicert.com0c (Source: AQSZDC.exe)
  • http://ocsp.digicert.com0l (Source: AQSZDC.exe)
  • http://www.digicert.com/ssl-cps-repository.ht (Source: svchost.exe)
  • http://www.digicert.com/ssl-cps-repository.htm0 (Source: AQSZDC.exe)

Frequency

Very regular HTTP traffic to:

  • http://bibilomp.servemp3.com:2012/1234567890.functions
  • http://moimoi.falayar10.eu:2011/1234567890.functions

Refroso.png

Process

Spawns processes:

  • AQSZDC.exe (PID: 456 MD5: 6D17EF161703ADEB63BED1A59340DFA4)
    • AQSZDC.exe (PID: 1336 MD5: 6D17EF161703ADEB63BED1A59340DFA4)
      • svchost.exe (PID: 1280 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • iexplore.exe (PID: 456 MD5: B60DDDD2D63CE41CB8C487FCFBB6419E)
      • explorer.exe (PID: 1948 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

Persistence

  • Creates an autostart registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QWXDRFGTT (seems to be randomly generated. Also seen AQSZEDFRTG)
  • Creates an undocumented autostart registry key
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7541A31G-F31E-BY1V-EBFN-F4YWN6RB18R6} StubPath

Obfuscation

  • Entry point lies outside standard sections
  • PE file contains sections with non-standard names:
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 juiko         00001dc8  00401000  00401000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
  1 gtyhu         00000010  00403000  00403000  00002200  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  2 ujhgtf        000001e0  00404000  00404000  00002400  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 azaz          00000150  00405000  00405000  00000000  2**3
                  ALLOC
  4 ererer        00000344  00406000  00406000  00002600  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rsrc         00002a24  00407000  00407000  00002a00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  • PE sections with suspicious entropy found

Mutex

Creates mutexes:

  • \BaseNamedObjects\NWH6cPERSIST (Source: C:\WINDOWS\system32\svchost.exe)
  • \BaseNamedObjects\NWH6c (Source: C:\Program Files\Internet Explorer\iexplore.exe)
  • \BaseNamedObjects\NWH6cEXIT (Source: C:\WINDOWS\system32\svchost.exe)
  • \BaseNamedObjects\XTREMEUPDATE (Source: C:\AQSZDC.exe)

Analysis

strings

ntdll
libgcj_s.dll
egisterClasSes
m4645
Dqsaazere
SetThreadContext
ResumeThread
../../runtime/pseudo-reloc.c
VirtualQuery (addr, &b, sizeof(b))
../../../../gcc-4.4.1/libgcc/../gcc/config/i386/
ygming-shared-data.c
0 && "Couldn't retrieve name of GCClib shared data atom"
ret->size == sizeof(__cygming_shared) && "GCClib shared data size mismatch"
0 && "Couldn't add GCClib shared data atom"
-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32
AddAtomA
ExitProcess
FindAtomA
GetAtomNameA
GetModuleHandleA
GetProcAddress
OpenProcess
SetUnhandledExceptionFilter
VirtualProtect
VirtualQuery
__getmainargs
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_iob
_onexit
_setmode
abort
atexit
free
malloc
memcpy
signal
MessageBoxA
KERNEL32
dll.
msvcrt.dll
USER32.dll

Links

Comments

blog comments powered by Disqus

Keywords: 6d17ef161703adeb63bed1a59340dfa4